Dell Networking W-Series ArubaOS 6.4.x | User Guide
Chapter 13
Stateful and WISPr Authentication
ArubaOS supports stateful 802.1X authentication, stateful NTLM authentication, and authentication for
Wireless Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.1X authentication
in that the controller does not manage the authentication process directly, but instead monitors the
authentication messages between a user and an external authentication server, then assigns a role to that user
based upon the information in those authentication messages. WISPr authentication allows clients to roam
between hotspots using different ISPs.
This chapter describes the following topics:
• Working With Stateful Authentication
• Working With WISPr Authentication
• Understanding Stateful Authentication Best Practices
• Configuring Stateful 802.1X Authentication
• Configuring Stateful NTLM Authentication
• Configuring Stateful Kerberos Authentication
• Configuring WISPr Authentication
Working With Stateful Authentication
ArubaOS supports three different types of stateful authentication:
• Stateful 802.1X authentication: This feature allows the controller to learn the identity and role of a user
connected to a third-party AP, and is useful for authenticating users to networks with APs from multiple
vendors. When an 802.1X-capable access point sends an authentication request to a RADIUS server, the
controller inspects this request and the associated response to learn the authentication state of the user. It
then applies an identity-based user-role through the Policy Enforcement Firewall.
• Stateful Kerberos authentication: Stateful Kerberos authentication configures a controller to monitor
the Kerberos authentication messages between a client and a Windows authentication server. If the client
successfully authenticates via a Kerberos authentication server, the controller recognizes that the client has
been authenticated and assigns that client a specified user role.
• Stateful NTLM authentication: NT LAN Manager (NTLM) is a suite of Microsoft authentication and
session security protocols. You can use stateful NTLM authentication to configure a controller to monitor
the NTLM authentication messages between a client and a Windows authentication server. If the client
successfully authenticates via an NTLM authentication server, the controller recognizes that the client has
been authenticated and assigns that client a specified user role.
The default Windows authentication method has changed from the older NTLM protocol to the newer
Kerberos protocol, starting with Windows 2000. Therefore, stateful NTLM authentication is most useful for
networks with legacy, pre-Windows 2000 clients. Also note that unlike other types of authentication, all
users authenticated via stateful NTLM authentication must be assigned to the user role specified in the
Stateful NTLM Authentication profile. Dell’s stateful NTLM authentication does not support placing users in
various roles based upon group membership or other role-derivation attributes.
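
The request/response inspection described above for stateful 802.1X, sketched as an added Python example (an illustration written for this page, not ArubaOS code). It assumes the observer knows the RADIUS shared secret so that it can check the RFC 2865 Response Authenticator before trusting a reply; StatefulMonitor, build, parse, the role name and the sample addresses are hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2       # RFC 2865 packet codes
USER_NAME, CALLING_STATION_ID = 1, 31      # RFC 2865 attribute types

def build(code, ident, auth, attrs):       # encoder for constructed samples
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs.items())
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(pkt):
    """Decode into (code, id, authenticator, {attr type: value}, raw attrs)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4].ljust(4, b"\0"))
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        alen = pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[pkt[pos]] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs, pkt[20:length]

class StatefulMonitor:                     # passive observer, never a proxy
    def __init__(self, secret, role):
        self.secret, self.role = secret, role
        self.pending = {}  # (ap_ip, id) -> (request authenticator, user, mac)
        self.roles = {}    # client MAC -> (user, role)

    def observe(self, ap_ip, pkt):
        code, ident, auth, attrs, raw = parse(pkt)
        key = (ap_ip, ident)
        if code == ACCESS_REQUEST:
            self.pending[key] = (auth, attrs.get(USER_NAME, b""),
                                 attrs.get(CALLING_STATION_ID, b""))
            return None
        if key not in self.pending:
            return None                    # reply without a matching request
        req_auth, user, mac = self.pending[key]
        # RFC 2865: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
        want = hashlib.md5(pkt[:4] + req_auth + raw + self.secret).digest()
        if not hmac.compare_digest(want, auth):
            return None                    # unverifiable reply: keep waiting
        del self.pending[key]
        if code == ACCESS_ACCEPT:          # reject or challenge: no role
            self.roles[mac] = (user, self.role)
            return self.roles[mac]
```

A reply that fails the authenticator check leaves the pending request in place, so a spoofed Access-Accept neither assigns a role nor hides the genuine response.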